dcrat | ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409

Analysis

max time kernel
119s
max time network
111s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Size

4.9MB
MD5

b01f6f3d873ab05578a58c77de3325e0
SHA1

8a0af4f893835a31fd5202c276c43b3a3e52d139
SHA256

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409
SHA512

8e564f46c0095bbcfe50bfd1b3043d3357f3afb41b6e030b2eb3790ca1a485007eec57f55928b4534104cd73594a805384370718eca48f6f2870937b311ad5f6
SSDEEP

49152:Dl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2576	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2576	schtasks.exe	31

UAC bypass 3 TTPs 30 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

csrss.execsrss.execcc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2672-3-0x000000001B6C0000-0x000000001B7EE000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1840	powershell.exe
824	powershell.exe
2940	powershell.exe
1520	powershell.exe
892	powershell.exe
2604	powershell.exe
2892	powershell.exe
888	powershell.exe
3048	powershell.exe
2044	powershell.exe
1668	powershell.exe
2876	powershell.exe

Executes dropped EXE 9 IoCs

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
1536	csrss.exe
2304	csrss.exe
2288	csrss.exe
1220	csrss.exe
1988	csrss.exe
1640	csrss.exe
2644	csrss.exe
1660	csrss.exe
1368	csrss.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execcc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 32 IoCs

Processes:

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\WMIADAP.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\f3b6ecef712a24	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files\Uninstall Information\Idle.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\WMIADAP.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files\Uninstall Information\Idle.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Office\886983d96e3d3e	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCXF374.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\spoolsv.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXF578.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCXFD88.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX1690.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\RCXF77D.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\RCXFB84.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXE14.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\69ddcba757bf72	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\886983d96e3d3e	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\75a57c1bdf437c	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Reference Assemblies\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\spoolsv.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files (x86)\Reference Assemblies\1d0ce96da2bd6d	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Program Files\Uninstall Information\6ccacd8608530f	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\csrss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX148C.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Drops file in Windows directory 16 IoCs

Processes:

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

description	ioc	Process
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\smss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\IME\es-ES\RCX401.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\IME\es-ES\spoolsv.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\ehome\ja-JP\wininit.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\ehome\ja-JP\56085415360792	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Migration\WTR\spoolsv.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\Resources\Ease of Access Themes\smss.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\Resources\Ease of Access Themes\69ddcba757bf72	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\IME\es-ES\spoolsv.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File created	C:\Windows\IME\es-ES\f3b6ecef712a24	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXF981.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\ehome\ja-JP\wininit.exe	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\Migration\WTR\RCXA0C.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
File opened for modification	C:\Windows\ehome\ja-JP\RCX1289.tmp	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2212	schtasks.exe
1172	schtasks.exe
2892	schtasks.exe
2768	schtasks.exe
1212	schtasks.exe
564	schtasks.exe
2164	schtasks.exe
2144	schtasks.exe
2268	schtasks.exe
1404	schtasks.exe
2988	schtasks.exe
1192	schtasks.exe
1256	schtasks.exe
2536	schtasks.exe
2620	schtasks.exe
2432	schtasks.exe
1892	schtasks.exe
1616	schtasks.exe
580	schtasks.exe
2292	schtasks.exe
1020	schtasks.exe
1932	schtasks.exe
2300	schtasks.exe
1456	schtasks.exe
1512	schtasks.exe
2792	schtasks.exe
1720	schtasks.exe
596	schtasks.exe
1908	schtasks.exe
956	schtasks.exe
2880	schtasks.exe
2304	schtasks.exe
3036	schtasks.exe
1996	schtasks.exe
1684	schtasks.exe
996	schtasks.exe
2940	schtasks.exe
1536	schtasks.exe
2348	schtasks.exe
2184	schtasks.exe
2992	schtasks.exe
2728	schtasks.exe
2288	schtasks.exe
2864	schtasks.exe
1772	schtasks.exe
2708	schtasks.exe
664	schtasks.exe
1776	schtasks.exe
348	schtasks.exe
1460	schtasks.exe
812	schtasks.exe
392	schtasks.exe
1620	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

pid	Process
2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
824	powershell.exe
2604	powershell.exe
3048	powershell.exe
2892	powershell.exe
2876	powershell.exe
892	powershell.exe
2044	powershell.exe
1520	powershell.exe
1840	powershell.exe
2940	powershell.exe
1668	powershell.exe
888	powershell.exe
1536	csrss.exe
2304	csrss.exe
2288	csrss.exe
1220	csrss.exe
1640	csrss.exe
2644	csrss.exe
1660	csrss.exe
1368	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	pid	Process
Token: SeDebugPrivilege	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1536	csrss.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2304	csrss.exe
Token: SeDebugPrivilege	2288	csrss.exe
Token: SeDebugPrivilege	1220	csrss.exe
Token: SeDebugPrivilege	1640	csrss.exe
Token: SeDebugPrivilege	2644	csrss.exe
Token: SeDebugPrivilege	1660	csrss.exe
Token: SeDebugPrivilege	1368	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.execsrss.exeWScript.execsrss.exeWScript.execsrss.exeWScript.exe

description	pid	Process	procid_target
PID 2672 wrote to memory of 1840	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	86
PID 2672 wrote to memory of 1840	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	86
PID 2672 wrote to memory of 1840	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	86
PID 2672 wrote to memory of 888	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	87
PID 2672 wrote to memory of 888	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	87
PID 2672 wrote to memory of 888	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	87
PID 2672 wrote to memory of 824	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	88
PID 2672 wrote to memory of 824	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	88
PID 2672 wrote to memory of 824	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	88
PID 2672 wrote to memory of 3048	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	89
PID 2672 wrote to memory of 3048	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	89
PID 2672 wrote to memory of 3048	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	89
PID 2672 wrote to memory of 2940	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	90
PID 2672 wrote to memory of 2940	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	90
PID 2672 wrote to memory of 2940	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	90
PID 2672 wrote to memory of 1520	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	91
PID 2672 wrote to memory of 1520	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	91
PID 2672 wrote to memory of 1520	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	91
PID 2672 wrote to memory of 2044	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	92
PID 2672 wrote to memory of 2044	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	92
PID 2672 wrote to memory of 2044	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	92
PID 2672 wrote to memory of 892	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	93
PID 2672 wrote to memory of 892	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	93
PID 2672 wrote to memory of 892	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	93
PID 2672 wrote to memory of 1668	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	94
PID 2672 wrote to memory of 1668	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	94
PID 2672 wrote to memory of 1668	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	94
PID 2672 wrote to memory of 2604	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	95
PID 2672 wrote to memory of 2604	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	95
PID 2672 wrote to memory of 2604	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	95
PID 2672 wrote to memory of 2876	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	96
PID 2672 wrote to memory of 2876	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	96
PID 2672 wrote to memory of 2876	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	96
PID 2672 wrote to memory of 2892	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	97
PID 2672 wrote to memory of 2892	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	97
PID 2672 wrote to memory of 2892	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	97
PID 2672 wrote to memory of 1536	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	110
PID 2672 wrote to memory of 1536	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	110
PID 2672 wrote to memory of 1536	2672	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe	110
PID 1536 wrote to memory of 2524	1536	csrss.exe	111
PID 1536 wrote to memory of 2524	1536	csrss.exe	111
PID 1536 wrote to memory of 2524	1536	csrss.exe	111
PID 1536 wrote to memory of 2972	1536	csrss.exe	112
PID 1536 wrote to memory of 2972	1536	csrss.exe	112
PID 1536 wrote to memory of 2972	1536	csrss.exe	112
PID 2524 wrote to memory of 2304	2524	WScript.exe	113
PID 2524 wrote to memory of 2304	2524	WScript.exe	113
PID 2524 wrote to memory of 2304	2524	WScript.exe	113
PID 2304 wrote to memory of 2992	2304	csrss.exe	114
PID 2304 wrote to memory of 2992	2304	csrss.exe	114
PID 2304 wrote to memory of 2992	2304	csrss.exe	114
PID 2304 wrote to memory of 2320	2304	csrss.exe	115
PID 2304 wrote to memory of 2320	2304	csrss.exe	115
PID 2304 wrote to memory of 2320	2304	csrss.exe	115
PID 2992 wrote to memory of 2288	2992	WScript.exe	116
PID 2992 wrote to memory of 2288	2992	WScript.exe	116
PID 2992 wrote to memory of 2288	2992	WScript.exe	116
PID 2288 wrote to memory of 1692	2288	csrss.exe	117
PID 2288 wrote to memory of 1692	2288	csrss.exe	117
PID 2288 wrote to memory of 1692	2288	csrss.exe	117
PID 2288 wrote to memory of 3048	2288	csrss.exe	118
PID 2288 wrote to memory of 3048	2288	csrss.exe	118
PID 2288 wrote to memory of 3048	2288	csrss.exe	118
PID 1692 wrote to memory of 1220	1692	WScript.exe	119

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

Processes:

csrss.execsrss.execcc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.execsrss.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe
"C:\Users\Admin\AppData\Local\Temp\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
  "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07a3ba93-b684-4c6d-b5f4-e8604545b8a4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
      "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2304
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b161aeba-6b57-4398-955b-529661a49491.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        6⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae33184f-4a75-464d-a8c2-e3dd5849bf5b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        8⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75cb2286-c8f2-4e23-ba8f-cbe2a2bcedbf.vbs"
        9⤵
        
        PID:2192
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        10⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        System policy modification
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e1b66d0-9abc-4196-baa2-76bd46bf882b.vbs"
        11⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        12⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83763bb2-0e6a-4453-9697-c0f5afe8fea8.vbs"
        13⤵
        
        PID:328
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        14⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60eaf15f-4fd2-438a-9964-e30e284962dd.vbs"
        15⤵
        
        PID:1300
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        16⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed5da289-c085-40a1-b9d8-07847e353a1c.vbs"
        17⤵
        
        PID:1608
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe"
        18⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1bab0440-f4ac-43b6-a144-23989db1914f.vbs"
        19⤵
        
        PID:1480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2cee77e4-3fcb-4b5b-93bb-37693b03cf7e.vbs"
        19⤵
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf451ffc-0f00-4575-b313-80b2dd357f07.vbs"
        17⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\222be9d7-3d38-44dc-8f88-b95a766c2d00.vbs"
        15⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16657c62-9f33-44d3-a3d9-943a70958a6e.vbs"
        13⤵
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00b455ff-e1b7-4184-ad25-e94b147c3ba0.vbs"
        11⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c663017-ab28-410b-8238-ef335fa9fcb0.vbs"
        9⤵
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\902df819-c8a5-4b7c-857a-2495591a8f8b.vbs"
        7⤵
        
        PID:3048
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f9ce6bf-7b20-4ff7-9df1-2b6a7d0c95bb.vbs"
        5⤵
        
        PID:2320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa60931c-db44-462c-8c3a-15ed00f02bf2.vbs"
    3⤵
    PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Ease of Access Themes\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409Nc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409Nc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409Nc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409Nc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\WMIADAP.exe

Filesize
4.9MB

MD5
b01f6f3d873ab05578a58c77de3325e0

SHA1
8a0af4f893835a31fd5202c276c43b3a3e52d139

SHA256
ccc5b9b76a1bc6c55bef142f7269d99a128351775fd3e1cd8a289ff290bc9409

SHA512
8e564f46c0095bbcfe50bfd1b3043d3357f3afb41b6e030b2eb3790ca1a485007eec57f55928b4534104cd73594a805384370718eca48f6f2870937b311ad5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\07a3ba93-b684-4c6d-b5f4-e8604545b8a4.vbs

Filesize
755B

MD5
5cd887364e9eb4aa460e173f2a99dd22

SHA1
fa37503d536f41c5cdcc197679ccfb51fed5c056

SHA256
f93431ca2cf50b6868a1a11c5ffc47a46c3777b82b8eb62406dd91af74c599c1

SHA512
d923d88e93d4a9a2036eb121c4c98a882f4662aecf98dbe15c7e1e49335c54323e7900293a9e14d71286f03daa9b726096044a20a93dc35724fbc4efd9dc757a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bab0440-f4ac-43b6-a144-23989db1914f.vbs

Filesize
755B

MD5
cb30fa05f800a0fea637cf87f822363e

SHA1
358ca5bea36b3253e7f97aebeede8af5af32a6a5

SHA256
10a232bc046d4a200a54352badefe4301cc86612dca81b763dbc9501e99a2b3e

SHA512
ae5886e1fb34aa10f442ac52eee1b5c00879d280829f8645987e01c2b09fe52f0f8738048ecce14c0f7afbf82341b5077256cbcb708ce688e4613fa0862a27cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\60eaf15f-4fd2-438a-9964-e30e284962dd.vbs

Filesize
755B

MD5
8b84d353d6062ccc0aae5431cc4f58a3

SHA1
dffd72093533046bec64121918a70c3fcc9c4181

SHA256
a417126603253e741e559105e021e9a9889a76439a67d31bb2e76cbb6e3dbfe8

SHA512
4808aeb5113529ab7c17008b8e7441114a2b97d20a938dee6b5000957b28dc72508d37e418082c86fe9f5161d72d9c260b1157e7577bb3ae7a6a3235e1497780

Download Submit
C:\Users\Admin\AppData\Local\Temp\75cb2286-c8f2-4e23-ba8f-cbe2a2bcedbf.vbs

Filesize
755B

MD5
180d3c6a14d87476ec1400c1d081cf50

SHA1
81971a9a131ac3bafe097cbc1db394d4e498410f

SHA256
b07724597c21c988334c4b608773b95eadc9e4efc3ecca44518eaa647a1688db

SHA512
7a9429e72b6f3cf16bd82b9a1e9b77ac2a31eec9f52a3a4df3262f29788632ef5cbc129f43fb0e4cf8504844c9e4e302b8879c994628e2d7b5ef1ac606f6298e

Download Submit
C:\Users\Admin\AppData\Local\Temp\83763bb2-0e6a-4453-9697-c0f5afe8fea8.vbs

Filesize
755B

MD5
a86aef369ac72bc8164c028f92dfb852

SHA1
2e7fc47e1e164b71cc7a3a300dc488cab82a3f01

SHA256
7f5fce3835c3b3052f87bc723211741ce27a8864587c9219f0876870a1d84065

SHA512
4c1917a77ada202ce956d2d679c18ee0404ec096bae1516baf4179e390647d8783bc1219f66b39a9b1a63a67705f62a7554d74696cca31068c8a21d1be410a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae33184f-4a75-464d-a8c2-e3dd5849bf5b.vbs

Filesize
755B

MD5
04e0c32017e6cc36c4c17c09aea3b3be

SHA1
50981582cbf838f34f7688f509ded8a0fdcad219

SHA256
15a8858bb5ad4daf7ac6d7b25e9f7dfbbf4e236cf39e30960d11b63d4c32b04e

SHA512
ff3867cc9437d730d4d978336b5004fcbfb965b419205acb38a6027b5063a64f98df1549c993a8e8805f59f4a8b20a9a2c022c188a8c5a5d78757691c0db832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b161aeba-6b57-4398-955b-529661a49491.vbs

Filesize
755B

MD5
af86264f140b5eab5bd868836fb64297

SHA1
e9dd4d9a756fbac5b31607a7efd0c3402d4da2ed

SHA256
85647f69590b50118e86154735e6f6a4ccae71d534298282d92f7b5b96e7b11f

SHA512
511f97c94848bf7d4ce069fc923e029aad77154ae6cf1503868cf148f4026ccd022991f869caf6c42c06772742dde5306af768564a8361b320a4d39850b88e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed5da289-c085-40a1-b9d8-07847e353a1c.vbs

Filesize
755B

MD5
9fa0fc7aa0df4da41f1ff0a80e10ea77

SHA1
cda0c88ef4fee75815039ab472355bae51d3dd07

SHA256
3f20e4536d74e87fcb4d29bdf6e7c0847e4afc4de7a93592fc1bbab72195d7b5

SHA512
92d23b5a6caf7f521fbaf58219f958a0fac83caa92d91a2e4f841e62079612b48c5fed2f7e5e354f4ae2b368d0953e096dddd698df83788c8d21807ed64a783d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa60931c-db44-462c-8c3a-15ed00f02bf2.vbs

Filesize
531B

MD5
8c55716631da58fcef4c48a6fa764790

SHA1
dc91414637ff74c5ef28d89987567cdc35dcaa71

SHA256
53cc10536038a896334746b4f8883237faf0f4b82ce1c104e5f24a291c5a6232

SHA512
a9a2874a9e653eff5ff906de288c99cf4aa4e73edb28d7d47ede2f1264d9d8d022055245cd7c7bc4e4ebc533b399aab029a5cb9a5eaeb380a0d0b37ac2b6d253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp256B.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PPV84H61L8U6L7JW8D4C.temp

Filesize
7KB

MD5
7482f89ea38d9b3430cc02042773da11

SHA1
5169d67d0b6d6bc5f9ebf9c4c929e3d512da6ae7

SHA256
d40a7303205a1cd55679d4494622c93436c4de4b8627dc3938b5d14a5b241da8

SHA512
00899decdc2d995f01a6a11f7206d34b1ce6989f02a503908ced6487ed7882399754bd5c9de2bf95c0f168201e9782743ad1ef020a2f6cb770de0c50ed7ecd21

Download Submit
memory/824-210-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1368-351-0x00000000008E0000-0x0000000000DD4000-memory.dmp

Filesize
5.0MB

Download
memory/1536-190-0x0000000000DD0000-0x00000000012C4000-memory.dmp

Filesize
5.0MB

Download
memory/1640-307-0x0000000001380000-0x0000000001874000-memory.dmp

Filesize
5.0MB

Download
memory/1660-336-0x0000000000050000-0x0000000000544000-memory.dmp

Filesize
5.0MB

Download
memory/1988-304-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp

Filesize
9.9MB

Download
memory/2604-212-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2672-9-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/2672-11-0x00000000024B0000-0x00000000024BA000-memory.dmp

Filesize
40KB

Download
memory/2672-162-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2672-148-0x000007FEF61E3000-0x000007FEF61E4000-memory.dmp

Filesize
4KB

Download
memory/2672-14-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2672-16-0x0000000002700000-0x000000000270C000-memory.dmp

Filesize
48KB

Download
memory/2672-15-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download
memory/2672-12-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/2672-13-0x00000000026D0000-0x00000000026DE000-memory.dmp

Filesize
56KB

Download
memory/2672-189-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2672-10-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/2672-0-0x000007FEF61E3000-0x000007FEF61E4000-memory.dmp

Filesize
4KB

Download
memory/2672-8-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/2672-7-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2672-6-0x0000000000950000-0x0000000000960000-memory.dmp

Filesize
64KB

Download
memory/2672-5-0x0000000000530000-0x0000000000538000-memory.dmp

Filesize
32KB

Download
memory/2672-4-0x0000000000510000-0x000000000052C000-memory.dmp

Filesize
112KB

Download
memory/2672-3-0x000000001B6C0000-0x000000001B7EE000-memory.dmp

Filesize
1.2MB

Download
memory/2672-2-0x000007FEF61E0000-0x000007FEF6BCC000-memory.dmp

Filesize
9.9MB

Download
memory/2672-1-0x00000000009A0000-0x0000000000E94000-memory.dmp

Filesize
5.0MB

Download